1310 - Rule to check if both C-L and T-E are present
Other items
Proceedings of the planning meeting at the CRS Community Summit in Amsterdam / Things we want to do for 3.3
HTTP Header Whitelisting
Overhaul the complete tagging (@fzipi confirms he will put a student on this task)
Better support for non-European languages
Rule exclusion package for hosters
More Node.js or JS rules -> better protection for the MEAN stack
More rules protecting users from Python injections / attacks
Consistent way of dealing with transformations (working plan: apply different transformations to the arguments at higher PLs, save the results in TX:/xxx/ variables, and add TX:/xxx/ to every rule targeting ARGS)
Stop HTTP request smuggling once and for all (Content-Length + Transfer-Encoding)
Set up a series of demo sites where people can test their attack payloads (PL1 to PL4)
Another CRS community Summit in 2020? -> 17 June 2020 in Dublin (?)
Close stale/old issues if there is no activity for N days: we are going to add a canned message to stale issues after N days asking for an update or for interest in fixing them, and close them after some further time. The GitHub marketplace offers a standard way to do this with a bot configured via a stale file in our repository: https://github.com/marketplace/stale (thank you @fzipi)
Special proposal from textglass.org developer Reza Naghibi. The idea is to expand Textglass into a WAF that executes CRS rules. This would possibly also mean changing CRS so that our project leans on this alternative engine.
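As an added illustration of the Content-Length + Transfer-Encoding item above (the rule the agenda refers to as 1310), here is a ModSecurity rule written for this page; it is not a rule from the CRS project, the rule id 9999910, the tag and the message text are placeholders chosen here, and the example is written for ModSecurity v2 rule syntax:

```apache
# Added example, not a CRS project rule. Flags a request that carries both a
# Content-Length and a Transfer-Encoding header: a server and a proxy may then
# disagree on where the request body ends, which is the ambiguity request
# smuggling relies on (RFC 7230 says Transfer-Encoding takes precedence and
# Content-Length should be dropped, so an honest client has no reason to send both).
# The "&" prefix counts how many headers of that name are present.
# Rule id 9999910 is a placeholder, not a CRS id.
SecRule &REQUEST_HEADERS:Content-Length "@gt 0" \
    "id:9999910,\
    phase:1,\
    deny,\
    status:400,\
    log,\
    t:none,\
    msg:'Request carries both Content-Length and Transfer-Encoding headers',\
    tag:'example-request-smuggling-check',\
    chain"
    # Second link of the chain: the deny above only fires when a
    # Transfer-Encoding header is present as well.
    SecRule &REQUEST_HEADERS:Transfer-Encoding "@gt 0" "t:none"
```

The example uses a plain `deny` so it is easy to verify in isolation: send a request with both headers and the audit log shows the `msg` above, while a request with only one of them passes. In a CRS deployment the disruptive action would instead follow the CRS anomaly-scoring convention (`block` together with a `setvar` that adds to `tx.anomaly_score_pl1`), so that the rule participates in the paranoia-level and threshold machinery rather than blocking on its own.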
Feel free to add items as you see fit either above, or below as comments.
This is the Agenda for the Monthly CRS Chat.
The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, October 7, at 20:30 CET.
Items on the Agenda:
PRs
1585 - Change chain order
1584 - Correct example text regarding GeoIP
1583 - Add exception for Monit status check
1581 - Fix a FP in 942360 (#1580)
1569 - #1579 - New unit tests
1565 - update rx SQLi rule 942400
1548 - Sync with v3.2 php fp and java tags
1538 - Rule 941370: Remove deprecated t:removeComments
1534 - 920470: include chars from rfc 2046
1525 - Fix bypass in 931130
1310 - Rule to check if both C-L and T-E are present
Other items
Feel free to add items as you see fit either above, or below as comments.
If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM. Everybody is welcome to join our community chat.